New Smoke Loader Attack Targets Multiple Credentials

A recently detected Smoke Loader infection campaign is attempting to steal credentials from a broad range of applications, including web browsers, email clients, and more.

The attacks begin with malicious emails carrying a Word document as an attachment. Using social engineering, the attackers attempt to lure victims into opening the document and executing an embedded macro.

Once executed, the macro initiates a second stage and downloads the TrickBot malware, which in turn fetches the Smoke Loader backdoor, Cisco Talos reports.

Smoke Loader has long been used as a downloader for various malware families, including banking Trojans, ransomware, and crypto-currency miners. In some previous campaigns it was also used as a dropper for TrickBot, but it appears the tables have turned now.

“Smoke Loader has often dropped Trickbot as a payload. This sample flips the script, with our telemetry showing this Trickbot sample dropping Smoke Loader. This is likely an example of malware-as-a-service, with botnet operators charging money to install third-party malware on infected computers,” Talos says.

The new backdoor variant, the security researchers reveal, doesn’t iterate through process lists to find a process to inject code into, but calls the Windows API GetShellWindow instead, then calls GetWindowThreadProcessId to get the process ID of explorer.exe. It also uses the PROPagate technique to inject code into Explorer.

First described in late 2017, the method had not been adopted by any other malware before this, and no public Proof-of-Concept (PoC) has been published to date. Smoke Loader is the first to use the technique, and FireEye also reported this last week.

The malware also includes a series of anti-analysis techniques, along with anti-debugging and anti-VM checks.

Unlike previous attacks, where Smoke Loader would drop additional payloads, the backdoor was observed receiving five plugins instead. Each plugin was executed in its own Explorer.exe process, but older techniques were used to inject each plugin into those processes. The attack ultimately results in six Explorer.exe processes running on the infected machine.
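The article notes that Smoke Loader injects into Explorer (resolved via GetShellWindow and GetWindowThreadProcessId) and then runs each of its five plugins in a separate Explorer.exe process, leaving six explorer.exe instances on the infected host. A normal interactive Windows session usually has a single explorer.exe per logged-on user, so an explorer.exe count well above the number of interactive users is a cheap hunting signal. The script below is an added example written for this page, not code from Talos, FireEye, or SecurityWeek; the `host|user|pid|image` export format, the sample lines, and the one-explorer-per-user baseline are assumptions.

```python
"""Flag hosts with more explorer.exe processes than interactive users.

Added example (not from the Talos report or the article). The input is
a constructed process-list export in an assumed "host|user|pid|image"
format; the baseline of one explorer.exe per user is an assumption.
"""
from collections import defaultdict

# Constructed sample export. WS02 mirrors the article's description of
# six explorer.exe processes on one infected machine; WS03 shows two
# legitimate sessions (two users, one explorer.exe each).
SAMPLE_PROCESS_LIST = """\
WS01|alice|1204|C:\\Windows\\explorer.exe
WS01|alice|2240|C:\\Program Files\\Mozilla Firefox\\firefox.exe
WS02|bob|1180|C:\\Windows\\explorer.exe
WS02|bob|3104|C:\\Windows\\explorer.exe
WS02|bob|3128|C:\\Windows\\explorer.exe
WS02|bob|3160|C:\\Windows\\explorer.exe
WS02|bob|3192|C:\\Windows\\explorer.exe
WS02|bob|3220|C:\\Windows\\explorer.exe
WS02|bob|3300|C:\\Windows\\System32\\svchost.exe
WS03|carol|1196|C:\\Windows\\explorer.exe
WS03|dave|4410|C:\\Windows\\explorer.exe
"""


def parse_process_lines(text):
    """Parse the constructed export into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # blank or malformed line; ignore rather than crash
        host, user, pid, image = parts
        records.append({"host": host, "user": user,
                        "pid": int(pid), "image": image})
    return records


def explorer_counts(records):
    """Return {host: (explorer_count, distinct_users_owning_explorer)}."""
    explorer = defaultdict(int)
    users = defaultdict(set)
    for r in records:
        # Match on the image name only, so the path prefix does not matter.
        if r["image"].lower().endswith("\\explorer.exe"):
            explorer[r["host"]] += 1
            users[r["host"]].add(r["user"])
    return {h: (explorer[h], len(users[h])) for h in explorer}


def find_suspicious_hosts(records, per_user_allowance=1):
    """Flag hosts whose explorer.exe count exceeds the per-user baseline.

    The baseline (one explorer.exe per interactive user) is an assumed
    rule of thumb; tune it for environments that legitimately run more.
    """
    flagged = {}
    for host, (count, nusers) in explorer_counts(records).items():
        if count > nusers * per_user_allowance:
            flagged[host] = count
    return flagged


if __name__ == "__main__":
    recs = parse_process_lines(SAMPLE_PROCESS_LIST)
    for host, n in find_suspicious_hosts(recs).items():
        print(f"{host}: {n} explorer.exe processes for "
              f"{explorer_counts(recs)[host][1]} interactive user(s)")
```

The count alone does not prove injection; it is a triage filter that narrows which hosts deserve a closer look at the extra Explorer processes (their parents, loaded modules, and network activity).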

All of the plugins were designed to steal sensitive information from the victim machine and explicitly target stored credentials and sensitive information transferred over a browser.

The first plugin contains around 2,000 functions and targets Firefox, Internet Explorer, Chrome, Opera, QQ Browser, Outlook, and Thunderbird to steal hostname, username, and password data. Additionally, it attempts to steal information from the Windows Credential Manager, as well as POP3, SMTP, IMAP credentials.

The second plugin searches through directories for files to parse and exfiltrate. The third plugin injects into browsers to intercept credentials and cookies, the fourth attempts to steal credentials for FTP, SMTP, POP3, and IMAP, while the fifth injects code into TeamViewer.exe for credential theft.

“We have seen that the Trojan and botnet market is constantly undergoing changes. The players are continuously improving their quality and techniques. They modify these techniques on an ongoing basis to enhance their capabilities to bypass security tools. This clearly shows how important it is to make sure all our systems are up to date,” Talos concludes.

Related: Microsoft Detects Massive Dofoil Attack

Related: TrickBot Gets Computer Locking Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
